From c281d6454f95c37735fbd938e7e7bb52ae25cc76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 2 Apr 2018 23:19:31 +0200
Subject: [PATCH 1/3] network: do not assume IPv6 gateway is a link-local address

If IPv6 gateway address provided by dom0 isn't a link local address, add a /128 route to it. Also, add this address on backend interfaces (vif*). This is to allow proper ICMP host unreachable packets forwarding - if gateway (address on vif* interface) have only fe80: address, it will be used as a source for ICMP reply. It will be properly delivered to the VM directly connected there (for example from sys-net to sys-firewall), but because of being link-local address, it will not be forwarded any further. This results timeouts if host doesn't have IPv6 connectivity.
---
 network/setup-ip | 3 +++
 network/vif-route-qubes | 7 ++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/network/setup-ip b/network/setup-ip
index 7bc8375..04b4d7b 100755
--- a/network/setup-ip
+++ b/network/setup-ip
@@ -91,6 +91,9 @@ __EOF__
 fi
 /sbin/ifconfig "$INTERFACE" up
 /sbin/route add -host "$gateway" dev "$INTERFACE"
+ if [ -n "$gateway6" ] && ! echo "$gateway6" | grep -q "^fe80:"; then
+ /sbin/route -6 add "$gateway6/128" dev "$INTERFACE"
+ fi
 if ! qsvc disable-default-route ; then
 /sbin/route add default gw "$gateway"
 if [ -n "$gateway6" ]; then
diff --git a/network/vif-route-qubes b/network/vif-route-qubes
index 07506b2..78a7c10 100755
--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
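Review bot: The link-local test on the added `if` line is a case-sensitive match on the literal lowercase prefix, so a gateway handed over as `FE80::…` would still get a /128 route it does not need; `grep -qi "^fe80:"` covers the case variant. The same test is written a second way in the vif-route-qubes hunk of this patch (`[[ "${back_ip6}" != "fe80:"* ]]`), so the two scripts will drift if only one of them is adjusted later. Whether dom0 can ever emit uppercase hex is not visible here, so this may be purely defensive. The `if` block enclosing these lines starts and ends outside the hunk.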
@@ -40,10 +40,12 @@ if [ "${ip}" ]; then
 # IPs as seen by this VM
 netvm_ip="$ip4"
 netvm_gw_ip=$(qubesdb-read /qubes-netvm-gateway)
+ netvm_gw_ip6=$(qubesdb-read /qubes-netvm-gateway6 || :)
 netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns)
 netvm_dns2_ip=$(qubesdb-read /qubes-netvm-secondary-dns)
 back_ip="$netvm_gw_ip"
+ back_ip6="$netvm_gw_ip6"
 
 # IPs as seen by the VM - if other than $netvm_ip
 appvm_gw_ip="$(qubesdb-read "/mapped-ip/$ip4/visible-gateway" 2>/dev/null || :)"
@@ -106,7 +108,10 @@ if [ "${ip}" ] ; then
 echo -e "*raw\n$iptables_cmd -i ${vif} -j DROP\nCOMMIT" | \
 ${cmdprefix} flock $lockfile ip6tables-restore --noflush
 fi
- ${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
+ ${cmdprefix} ip addr "${ipcmd}" "${back_ip}/32" dev "${vif}"
+ if [ "${back_ip6}" ] && [[ "${back_ip6}" != "fe80:"* ]]; then
+ ${cmdprefix} ip addr "${ipcmd}" "${back_ip6}/128" dev "${vif}"
+ fi
 fi
 
 log debug "Successful vif-route-qubes $command for $vif."

From 53c9b45c76052aa923a396be52b348c1a2c3e8a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Tue, 3 Apr 2018 01:01:56 +0200
Subject: [PATCH 2/3] qubes-firewall: handle only traffic originating from VMs

Ignore packets coming from non-vif interfaces early.

Fixes QubesOS/qubes-issues#3644
---
 qubesagent/firewall.py | 5 +++++
 qubesagent/test_firewall.py | 14 ++++++++++----
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/qubesagent/firewall.py b/qubesagent/firewall.py
index 4b8c3b3..11d70c0 100755
--- a/qubesagent/firewall.py
+++ b/qubesagent/firewall.py
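Review bot: The new `netvm_gw_ip6=$(qubesdb-read /qubes-netvm-gateway6 || :)` swallows the failure status but not the error output, unlike the `appvm_gw_ip` line a few lines below in the same hunk, which uses `2>/dev/null || :`; on a system with no IPv6 gateway key every vif attach will emit a qubesdb-read error wherever the hotplug script's stderr is collected, while still behaving correctly. `netvm_gw_ip6=$(qubesdb-read /qubes-netvm-gateway6 2>/dev/null || :)` follows the convention already used in this block. The `if [ "${ip}" ]` block enclosing these lines starts and ends outside the hunk.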
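Review bot: The added condition mixes a POSIX `[ "${back_ip6}" ]` with a bash `[[ … != "fe80:"* ]]` in a single `if`; since the `[[` already makes the line bash-only, one test such as `[[ -n "${back_ip6}" && "${back_ip6}" != fe80:* ]]` reads more consistently. The removed and re-added `ip addr … "${back_ip}/32"` lines are identical in text here, so that pair appears to be a whitespace-only change rather than a behavioural one. The enclosing `if [ "${ip}" ]` block starts outside the hunk.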
@@ -370,8 +370,12 @@ class IptablesWorker(FirewallWorker):
 # starting qubes-firewall
 try:
 self.run_ipt(4, ['-F', 'QBS-FORWARD'])
+ self.run_ipt(4,
+ ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
 self.run_ipt(4, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
 self.run_ipt(6, ['-F', 'QBS-FORWARD'])
+ self.run_ipt(6,
+ ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'])
 self.run_ipt(6, ['-A', 'QBS-FORWARD', '-j', 'DROP'])
 except subprocess.CalledProcessError:
 self.log_error('\'QBS-FORWARD\' chain not found, create it first')
@@ -579,6 +583,7 @@ class NftablesWorker(FirewallWorker):
 ' type filter hook forward priority 0;\n'
 ' policy drop;\n'
 ' ct state established,related accept\n'
+ ' meta iifname != "vif*" accept\n'
 ' }}\n'
 '}}\n'
 )
diff --git a/qubesagent/test_firewall.py b/qubesagent/test_firewall.py
index 7270afd..93d4ab6 100644
--- a/qubesagent/test_firewall.py
+++ b/qubesagent/test_firewall.py
@@ -271,10 +271,14 @@ class TestIptablesWorker(TestCase):
 
 def test_006_init(self):
 self.obj.init()
- self.assertEqual(self.obj.called_commands[4],
- [['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
- self.assertEqual(self.obj.called_commands[6],
- [['-F', 'QBS-FORWARD'], ['-A', 'QBS-FORWARD', '-j', 'DROP']])
+ self.assertEqual(self.obj.called_commands[4], [
+ ['-F', 'QBS-FORWARD'],
+ ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
+ ['-A', 'QBS-FORWARD', '-j', 'DROP']])
+ self.assertEqual(self.obj.called_commands[6], [
+ ['-F', 'QBS-FORWARD'],
+ ['-A', 'QBS-FORWARD', '!', '-i', 'vif+', '-j', 'RETURN'],
+ ['-A', 'QBS-FORWARD', '-j', 'DROP']])
 
 def test_007_cleanup(self):
 self.obj.init()
@@ -435,6 +439,7 @@ class TestNftablesWorker(TestCase):
 ' type filter hook forward priority 0;\n'
 ' policy drop;\n'
 ' ct state established,related accept\n'
+ ' meta iifname != "vif*" accept\n'
 ' }\n'
 '}\n'
 'table ip6 qubes-firewall {\n'
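Review bot: The two workers now give non-vif forwarded traffic different verdicts: the iptables rule added here is `-j RETURN`, which hands the packet back to whatever follows the `QBS-FORWARD` jump in the FORWARD chain, while the nftables rule added in the `@@ -579` hunk is a terminal `accept` inside a chain declared with `policy drop`. Whether the two end up equivalent depends on the rest of the FORWARD chain, which is not visible in this patch. A comment on the added lines stating the intended outcome, e.g. `# forwarded traffic not entering from a VM (vif*) is not subject to qubes-firewall rules; leave the verdict to the rest of FORWARD`, would make that design choice reviewable in both implementations. The `init` method containing these lines starts outside the hunk.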
@@ -442,6 +447,7 @@ class TestNftablesWorker(TestCase):
 ' type filter hook forward priority 0;\n'
 ' policy drop;\n'
 ' ct state established,related accept\n'
+ ' meta iifname != "vif*" accept\n'
 ' }\n'
 '}\n'
 ])

From 836bf90e978b4ef4b4a547de9390c553eae3d8db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Fri, 6 Apr 2018 01:52:11 +0200
Subject: [PATCH 3/3] network: make sure static NM configuration is created before NM start

Avoid delays caused by default DHCP configuration, which would be used if no alternative is available at NetworkManager start time.
---
 network/network-manager-prepare-conf-dir | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/network/network-manager-prepare-conf-dir b/network/network-manager-prepare-conf-dir
index d56b996..7eb09c1 100755
--- a/network/network-manager-prepare-conf-dir
+++ b/network/network-manager-prepare-conf-dir
@@ -16,4 +16,15 @@ unmanaged_devices=mac:fe:ff:ff:ff:ff:ff
 sed -r -i -e "s/^#?unmanaged-devices=.*/unmanaged-devices=$unmanaged_devices/" /etc/NetworkManager/NetworkManager.conf
 sed -r -i -e "s/^#?plugins=.*/plugins=keyfile/" /etc/NetworkManager/NetworkManager.conf
 
+# setup uplink configuration if applicable - this needs to be done before
+# starting NetworkManager, otherwise it will try default DHCP configuration
+# first and only after a timeout fallback to static one - introducing delay in
+# network connectivity
+export INTERFACE=eth0
+if qubesdb-read /qubes-ip >/dev/null 2>/dev/null &&
+ [ -e /sys/class/net/$INTERFACE ] &&
+ [ ! -r /etc/NetworkManager/system-connections/qubes-uplink-$INTERFACE ]; then
+ /usr/lib/qubes/setup-ip
+fi
+
 exit 0
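Review bot: The exit status of `/usr/lib/qubes/setup-ip` is discarded — the script still ends with the unconditional `exit 0` — so if writing the uplink configuration fails, NetworkManager silently takes the DHCP path this commit is trying to avoid and nothing records why. `/usr/lib/qubes/setup-ip || echo "setup-ip failed for $INTERFACE" >&2` keeps the best-effort behaviour while leaving a trace. The `[ ! -r … ]` guard also means an already-present keyfile is never refreshed, so a changed address is only picked up once the file is removed; that is probably intended but deserves a word in the comment above. Minor: `>/dev/null 2>/dev/null` is the long form of `>/dev/null 2>&1`, and `INTERFACE=eth0` is a fixed assumption about the uplink name that the comment could state.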